From 7cfb3d2873f0e281e20ccd5ff004746eb4bd4ce5 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Tue, 6 Mar 2018 09:24:04 +0000 Subject: ofz: timeout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I7cdd39f51943bd97e0e0931f44d3338a23044ab0 Reviewed-on: https://gerrit.libreoffice.org/50802 Tested-by: Jenkins Reviewed-by: Caolán McNamara Tested-by: Caolán McNamara --- emfio/source/reader/wmfreader.cxx | 23 +++++++++++---------- .../graphicfilter/data/wmf/fail/exttextout-2.wmf | Bin 0 -> 54196 bytes 2 files changed, 12 insertions(+), 11 deletions(-) create mode 100644 vcl/qa/cppunit/graphicfilter/data/wmf/fail/exttextout-2.wmf diff --git a/emfio/source/reader/wmfreader.cxx b/emfio/source/reader/wmfreader.cxx index e82d756f28b2..eafff0378716 100644 --- a/emfio/source/reader/wmfreader.cxx +++ b/emfio/source/reader/wmfreader.cxx @@ -1387,7 +1387,7 @@ namespace emfio if( mnEndPos - mnStartPos ) { - bool bEMFAvailable = false; + bool bEMFAvailable = false; while( true ) { mnCurrentAction++; @@ -1404,6 +1404,15 @@ namespace emfio break; } + + const sal_uInt32 nAvailableBytes = mnEndPos - nPos; + const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2; + if (mnRecSize > nMaxPossibleRecordSize) + { + mpInputStream->SetError(SVSTREAM_FILEFORMAT_ERROR); + break; + } + if ( !bEMFAvailable ) { if( !maBmpSaveList.empty() @@ -1448,16 +1457,8 @@ namespace emfio } } - const sal_uInt32 nAvailableBytes = mnEndPos - nPos; - const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2; - - if (mnRecSize <= nMaxPossibleRecordSize) - { - nPos += mnRecSize * 2; - mpInputStream->Seek(nPos); - } - else - mpInputStream->SetError( SVSTREAM_FILEFORMAT_ERROR ); + nPos += mnRecSize * 2; + mpInputStream->Seek(nPos); } } else 
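Review bot: The new guard in the second hunk (`if (mnRecSize > nMaxPossibleRecordSize)`) carries no comment, and its reason is not obvious: mnRecSize appears to count 16-bit words (hence the `/2` and the later `mnRecSize * 2`), and the check has to run before the record is dispatched so that an oversized size field read from the file is rejected before any handler acts on it. I would add something like `// mnRecSize is in 16-bit words; reject a record that claims to extend past mnEndPos before processing it`. `mnEndPos - nPos` is an unsigned subtraction, so the bound is only meaningful while nPos <= mnEndPos. That holds if every advance goes through the `nPos += mnRecSize * 2` of the third hunk, but the code that reads the record header is outside the hunk, so it is worth confirming, along with a lower bound on mnRecSize that keeps the loop advancing. The loop body starts and ends outside these hunks.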
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/exttextout-2.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/exttextout-2.wmf
new file mode 100644
index 000000000000..02c72ad88fa8
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/exttextout-2.wmf differ
-- cgit